Wednesday, July 15, 2009

Podcast: Crypto-Gram 15 September 2008: Security is not an investment that provides a return

from the Sep 15, 2008 Crypto-Gram Newsletter by Bruce Schneier

* Identity Farming

It seems to me that our data shadows are becoming increasingly distinct from us, almost with a life of their own. What's important now is our shadows; we're secondary. And as our society relies more and more on these shadows, we might even become unnecessary.

Our data shadows can live a perfectly normal life without us.

* Security ROI

Any business venture needs to demonstrate a positive return on investment, and a good one at that, in order to be viable.

Many corporate customers are demanding ROI models to demonstrate that a particular security investment pays off.

It's a good idea in theory, but it's mostly bunk in practice.

"ROI" as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn't make sense in this context.

The classic methodology is called annualized loss expectancy: ALE. Calculate the cost of a security incident in both tangibles like time and money, and intangibles like reputation and competitive advantage. Multiply that by the chance the incident will occur in a year. So, for example, if your store has a 10 percent chance of getting robbed and the cost of being robbed is $10,000, then you should spend $1,000 a year on security. Spend more than that, and you're wasting money. Spend less than that, and you're also wasting money.

Of course, that $1,000 has to reduce the chance of being robbed to zero in order to be cost-effective. If a security measure cuts the chance of robbery by 40 percent - to 6 percent a year - then you should spend no more than $400 on it. If another security measure reduces it by 80 percent, it's worth $800. And if two security measures both reduce the chance of being robbed by 50 percent and one costs $300 and the other $700, the first one is worth it and the second isn't.

Cybersecurity is considerably harder, because there just isn't enough good data. There aren't good crime rates for cyberspace.

But there's another problem, and it's that the math quickly falls apart when it comes to rare and expensive events.
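The ALE arithmetic in the excerpt above, carried through in code. This is an added example, not text or code from Crypto-Gram or from Bruce Schneier. The store figures ($10,000 loss, 10 percent annual chance, countermeasures that cut that chance by 40, 80 and 50 percent, costing $300 and $700) are the ones in the excerpt; the rare-versus-common comparison at the end uses constructed figures to show why the same arithmetic gets shaky for rare, expensive events.

```python
"""Annualized loss expectancy (ALE) worked through in code.

Added example; not from the newsletter. Store numbers follow the excerpt;
the figures in rare_vs_common() are constructed for illustration.
"""
from dataclasses import dataclass
from math import sqrt


def ale(p: float, loss: float) -> float:
    """ALE = (chance the incident happens in a year) x (cost when it does)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability in [0, 1]")
    return p * loss


@dataclass(frozen=True)
class Countermeasure:
    name: str
    reduction: float   # fraction of the incident probability it removes (0..1)
    annual_cost: float


def worth(p: float, loss: float, cm: Countermeasure) -> float:
    """Most you should spend on cm per year: the ALE it removes.

    A measure that cuts the 10% robbery chance by 40% leaves 6%, so the ALE
    falls from $1,000 to $600 and the measure is worth at most $400.
    """
    return ale(p, loss) - ale(p * (1.0 - cm.reduction), loss)


def cost_effective(p: float, loss: float, cm: Countermeasure) -> bool:
    """Buy it only if its yearly cost does not exceed the ALE it removes."""
    return cm.annual_cost <= worth(p, loss, cm)


def loss_std_dev(p: float, loss: float) -> float:
    """Spread of the yearly loss when the incident happens at most once a
    year (a Bernoulli outcome): loss * sqrt(p * (1 - p)).  Two scenarios can
    share an ALE and still differ enormously here."""
    return loss * sqrt(p * (1.0 - p))


# The store from the excerpt: 10% chance per year of a $10,000 loss.
STORE_P, STORE_LOSS = 0.10, 10_000.0
STORE_OPTIONS = [
    Countermeasure("cuts risk 50%, costs $300", 0.50, 300.0),
    Countermeasure("cuts risk 50%, costs $700", 0.50, 700.0),
]


def rare_vs_common() -> tuple:
    """Constructed comparison: a 10% chance of losing $100,000 and a 0.1%
    chance of losing $10,000,000 both have an ALE of $10,000.  Returns the
    standard deviation of the yearly loss for (common, rare)."""
    common = loss_std_dev(0.10, 100_000.0)      # 30,000
    rare = loss_std_dev(0.001, 10_000_000.0)    # about 316,000
    return common, rare


if __name__ == "__main__":
    print(f"baseline ALE: ${ale(STORE_P, STORE_LOSS):,.0f}")
    for cm in STORE_OPTIONS:
        verdict = "buy" if cost_effective(STORE_P, STORE_LOSS, cm) else "skip"
        print(f"{cm.name}: worth at most ${worth(STORE_P, STORE_LOSS, cm):,.0f} -> {verdict}")
    common, rare = rare_vs_common()
    print(f"same ALE of $10,000; yearly-loss std dev ${common:,.0f} vs ${rare:,.0f}")
```

The last function is the practical caveat: budgeting to the ALE treats the two constructed scenarios identically, yet in the rare case a single bad year costs a thousand ALEs, and a 0.1 percent estimate that is really 0.2 percent doubles the number you are planning around.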

* Diebold Finally Admits its Voting Machines Drop Votes

It's unclear if this error is random or systematic. If it's random -- a small percentage of all votes are dropped -- then it is highly unlikely that this affected the outcome of any election. If it's systematic -- a small percentage of votes for a particular candidate are dropped -- then it is much more problematic.
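The random-versus-systematic distinction above, as an added illustration. This is not code from the newsletter and is not a model of any real voting machine; the two tallies (a one-point race) and the 2 percent loss rate are constructed so the effect is easy to see.

```python
"""Random vs. systematic vote loss, constructed illustration (not from the
newsletter, not a model of any real machine).
"""
import random

# Constructed: a one-point race, 100,000 votes.
TRUE_TALLIES = {"A": 50_500, "B": 49_500}


def drop_randomly(tallies: dict, rate: float, seed: int = 1) -> dict:
    """Every recorded vote, whoever it is for, is lost independently with
    probability `rate`.  Both columns shrink in about the same proportion, so
    the margin shrinks slightly but keeps its sign."""
    rng = random.Random(seed)   # fixed seed so the run is reproducible
    return {
        cand: sum(1 for _ in range(n) if rng.random() >= rate)
        for cand, n in tallies.items()
    }


def drop_systematically(tallies: dict, rate: float, victim: str) -> dict:
    """Only votes for `victim` are lost, at the same overall rate.  The margin
    moves by rate * victim's votes, which in a close race is the whole lead."""
    out = dict(tallies)
    out[victim] = round(out[victim] * (1.0 - rate))
    return out


def winner(tallies: dict) -> str:
    return max(tallies, key=tallies.get)


def margin(tallies: dict, a: str = "A", b: str = "B") -> int:
    return tallies[a] - tallies[b]


if __name__ == "__main__":
    rate = 0.02
    print("true result:      ", TRUE_TALLIES, "winner", winner(TRUE_TALLIES))
    rnd = drop_randomly(TRUE_TALLIES, rate)
    print("2% lost at random:", rnd, "winner", winner(rnd), "margin", margin(rnd))
    sys_ = drop_systematically(TRUE_TALLIES, rate, "A")
    print("2% of A's lost:   ", sys_, "winner", winner(sys_), "margin", margin(sys_))
```

With these constructed numbers a 2 percent loss spread over all votes leaves A ahead by roughly 980 votes, while the same 2 percent taken only from A's column hands the race to B. The dropped votes are the same size either way; what matters is whether the loss is correlated with the candidate.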

* Full Disclosure and the Boston Fare Card Hack

The ethics of full disclosure are intimately familiar to those of us in the computer-security field. Before full disclosure became the norm, researchers would quietly disclose vulnerabilities to the vendors - who would routinely ignore them. Sometimes vendors would even threaten researchers with legal action if they disclosed the vulnerabilities.

Later on, researchers started disclosing the existence of a vulnerability but not the details. Vendors responded by denying the security holes' existence, or calling them just theoretical. It wasn't until full disclosure became the norm that vendors began consistently fixing vulnerabilities quickly. Now that vendors routinely patch vulnerabilities, researchers generally give them advance notice to allow them to patch their systems before the vulnerability is published. But even with this "responsible disclosure" protocol, it's the threat of disclosure that motivates them to patch their systems. Full disclosure is the mechanism by which computer security improves.